Hi folks,

I'm currently trying to get Radiator 3.5 demo to do 802.1x auth via
EAP-TLS with a Cisco 1200-series AP and a Windows XP supplicant, and
I'm having a bit of an issue. I'm relatively new to 802.1x/EAP and
it's been quite a while since I've had to frob w/ RADIUS, so please
bear with me.

I've set up all of my certs, etc. as described in Ken Roser's EAP-TLS
w/ Freeradius doc (including the EKU stuff), and what is transpiring
is in the Radiator debug log included below. It looks as if Radiator
is sending challenges to the client and getting no response. Has
anybody else seen and fixed this behavior in a similar setup? If so,
what am I missing? I'm using the goodies/eap-tls.conf supplied with
Radiator (edited only to fix paths to my CA structure, etc.).

Thanks in advance for any help,

Rob Dekelbaum
Wireless Network Engineer
ACS Defense, Inc


Wed Mar 26 13:02:17 2003: DEBUG: Reading dictionary file './dictionary'
Wed Mar 26 13:02:17 2003: DEBUG: Creating authentication port 192.168.12.101:1645
Wed Mar 26 13:02:17 2003: DEBUG: Creating accounting port 192.168.12.101:1646
Wed Mar 26 13:02:17 2003: INFO: Server started: Radiator 3.5 on devbox (DEMO)
Wed Mar 26 13:02:58 2003: DEBUG: Packet dump:
*** Received from 192.168.12.212 port 1024 ....
Code:       Access-Request
Identifier: 0
Authentic:  <214><147>O,<23>Ki<225><15><239><194><0><140><22><201>q
Attributes:
        User-Name = "deker"
        cisco-avpair = "ssid=ap1200"
        NAS-IP-Address = 192.168.12.212
        Called-Station-Id = "000c30529a80"
        Calling-Station-Id = "000ab78b3c05"
        NAS-Identifier = "AP1200-529a80"
        NAS-Port = 37
        Framed-MTU = 1400
        NAS-Port-Type = 19
        Service-Type = Login-User
        EAP-Message = <2><2><0><10><1>deker
        Message-Authenticator = <216><251>f<246>><212><4>._v<8><29>w<130>Po

Wed Mar 26 13:02:58 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Mar 26 13:02:58 2003: DEBUG:  Deleting session for deker, 192.168.12.212, 37
Wed Mar 26 13:02:58 2003: DEBUG: Handling with Radius::AuthFILE: 
Wed Mar 26 13:02:58 2003: DEBUG: Handling with EAP: code 2, 2, 10
Wed Mar 26 13:02:58 2003: DEBUG: Response type 1
Wed Mar 26 13:02:58 2003: DEBUG: Access challenged for deker: EAP TLS Challenge
Wed Mar 26 13:02:58 2003: DEBUG: Packet dump:
*** Sending to 192.168.12.212 port 1024 ....
Code:       Access-Challenge
Identifier: 0
Authentic:  <214><147>O,<23>Ki<225><15><239><194><0><140><22><201>q
Attributes:
        EAP-Message = <1><3><0><6><13> 
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Mar 26 13:02:58 2003: DEBUG: Packet dump:
*** Received from 192.168.12.212 port 1025 ....
Code:       Access-Request
Identifier: 1
Authentic:  "24z<166><159><233>G<199>D<226>f<18><1><225><231>
Attributes:
        User-Name = "deker"
        cisco-avpair = "ssid=ap1200"
        NAS-IP-Address = 192.168.12.212
        Called-Station-Id = "000c30529a80"
        Calling-Station-Id = "000ab78b3c05"
        NAS-Identifier = "AP1200-529a80"
        NAS-Port = 37
        Framed-MTU = 1400
        NAS-Port-Type = 19
        Service-Type = Login-User
        EAP-Message =
<2><3><0>P<13><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>><130><22>k
<232><249><5><248><136>G[<11><226>V"<131>0<157><142>"<153>B<<163>$<192
><139><198><20><247>Y<158><0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<
0><3><0><6><0><19><0><18><0>c<1><0>
        Message-Authenticator =
<160><226><166>W<176><7>g<18><133><249>Ke<22>pPn

Wed Mar 26 13:02:58 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Mar 26 13:02:58 2003: DEBUG:  Deleting session for deker, 192.168.12.212, 37
Wed Mar 26 13:02:58 2003: DEBUG: Handling with Radius::AuthFILE: 
Wed Mar 26 13:02:58 2003: DEBUG: Handling with EAP: code 2, 3, 80
Wed Mar 26 13:02:58 2003: DEBUG: Response type 13
Wed Mar 26 13:02:58 2003: DEBUG: Access challenged for deker: EAP TLS Challenge
Wed Mar 26 13:02:58 2003: DEBUG: Packet dump:
*** Sending to 192.168.12.212 port 1025 ....
Code:       Access-Challenge
Identifier: 1
Authentic:  "24z<166><159><233>G<199>D<226>f<18><1><225><231>
Attributes:
        EAP-Message =
<1><4><4><10><13><192><0><0><6>n<22><3><1><0>J<2><0><0>F<3><1>><129><2
35>R`<171><161>DGf<218>i<137><251><236>2<226><243><218>?6<180><250><25
><169><221><136><153>3<225>'<1>
{<9><131><249><25><22>S<15><209><175><189><214><12>eD<209>^<146>
G<135>p<157><13>*<178><169><224><220><186><192>8<0><4><0><22><3><1><5>
a<11><0><5>]<0><5>Z<0><2><150>0<130><2><146>0<130><1><251><160><3><2><
1><2><2><1><2>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129><16
2>1<11>0<9><6><3>U<4><6><19><2>US1<17>0<15><6><3>U<4><8><19><8>Marylan
d1<17>0<15><6><3>U<4><7><19><8>Elkridge1<20>0<18><6><3>U<4><10><19><11
>ACS
Defense1<11>0<9><6><3>U<4><11><19><2>IS1<29>0<27><6><3>U<4><3><19><20>
radius.itserealm.c
        EAP-Message =
om1+0)<6><9>*<134>H<134><247><13><1><9><1><22><28>[EMAIL PROTECTED]
- -inc.com0<30><23><13>030317111516Z<23><13>040316111516Z0b1<11>0<9><6><
3>U<4><6><19><2>US1<17>0<15><6><3>U<4><8><19><8>Maryland1<20>0<18><6><
3>U<4><10><19><11>ACS
Defense1<11>0<9><6><3>U<4><11><19><2>IS1<29>0<27><6><3>U<4><3><19><20>
radius.itserealm.com0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><
1><5><0><3><129><141><0>0<129><137><2><129><129><0><205><226><146><140
>l}<175><216><211>,9-<15><236><208><205><226><224>^ck<236>t<30><213><8
><228>-g<168>'<222>w<195>v<129>|<24>|<254>W&W<242><12>
        EAP-Message =
>k<253><156><134><171><208><236><227><177><2><199>v<209><222><235>DW9<
216><6>Ox<187><250>:<246><242><206><195>]<251><246>Yd<128><0><3><207><
251><202>><11><192><220><31>$<150><213><20><163><14><133><231><227>v<1
58><151><228><208>b4<24><249>q0<204><141>\&<212></<10>L<207><16>7v<219
><167>CM<2><3><1><0><1><163><23>0<21>0<19><6><3>U<29>%<4><12>0<10><6><
8>+<6><1><5><5><7><3><1>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0
><3><129><129><0>X<255><185>E<190><128><191>gD<31><1><180>J6|a<211>_<2
30><24>-<154>y<151>
<238><144><5><10><167><236>'<3><178>`<165><4>]<253><187><254>PNy<166><
184>^<207>:<180>o<183><166><239><240><139>X<8><176><209>K<10>4e<226>$<
171>F<190><211><202>:%E~5RrapFn<26><14><208>kb<25><4><21><13>~<202><16
5><185>*<213>m<0>vR<186><23>C<162>t<11><19><16>bv<206><202>&<234><245>
+n(<163><227>
        EAP-Message =
<156><30>(<154>U<254><229><0><2><190>0<130><2><186>0<130><2>#<160><3><
2><1><2><2><1><0>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129>
<162>1<11>0<9><6><3>U<4><6><19><2>US1<17>0<15><6><3>U<4><8><19><8>Mary
land1<17>0<15><6><3>U<4><7><19><8>Elkridge1<20>0<18><6><3>U<4><10><19>
<11>ACS
Defense1<11>0<9><6><3>U<4><11><19><2>IS1<29>0<27><6><3>U<4><3><19><20>
radius.itserealm.com1+0)<6><9>*<134>H<134><247><13><1><9><1><22><28>ro
[EMAIL PROTECTED]<30><23><13>030317104856Z<23><13>0503161048
56Z0<129><162>1<11>0<9><6><3>U<4><6><19><2>U
        EAP-Message = S1<17>0<15><6><3>U<4><8><19><8>Maryland1<17>
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Mar 26 13:02:58 2003: DEBUG: Packet dump:
*** Received from 192.168.12.212 port 1026 ....
Code:       Access-Request
Identifier: 2
Authentic:  u<26><173><142><138>4<137><225><182><153>j<0>3<252>gD
Attributes:
        User-Name = "deker"
        cisco-avpair = "ssid=ap1200"
        NAS-IP-Address = 192.168.12.212
        Called-Station-Id = "000c30529a80"
        Calling-Station-Id = "000ab78b3c05"
        NAS-Identifier = "AP1200-529a80"
        NAS-Port = 37
        Framed-MTU = 1400
        NAS-Port-Type = 19
        Service-Type = Login-User
        EAP-Message = <2><4><0><6><13><0>
        Message-Authenticator =
<246><144>R<128><142><147><224><226>%<220><173><252><165><171>}l

Wed Mar 26 13:02:58 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Mar 26 13:02:58 2003: DEBUG:  Deleting session for deker, 192.168.12.212, 37
Wed Mar 26 13:02:58 2003: DEBUG: Handling with Radius::AuthFILE: 
Wed Mar 26 13:02:58 2003: DEBUG: Handling with EAP: code 2, 4, 6
Wed Mar 26 13:02:58 2003: DEBUG: Response type 13
Wed Mar 26 13:02:58 2003: DEBUG: Access challenged for deker: EAP TLS Challenge
Wed Mar 26 13:02:58 2003: DEBUG: Packet dump:
*** Sending to 192.168.12.212 port 1026 ....
Code:       Access-Challenge
Identifier: 2
Authentic:  u<26><173><142><138>4<137><225><182><153>j<0>3<252>gD
Attributes:
        EAP-Message =
<1><5><2>t<13><0>0<15><6><3>U<4><7><19><8>Elkridge1<20>0<18><6><3>U<4>
<10><19><11>ACS
Defense1<11>0<9><6><3>U<4><11><19><2>IS1<29>0<27><6><3>U<4><3><19><20>
radius.itserealm.com1+0)<6><9>*<134>H<134><247><13><1><9><1><22><28>ro
[EMAIL PROTECTED]<129><159>0<13><6><9>*<134>H<134><247><13><
1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><218>D<186><1
43><201>g<138>5<198><131><130><230><211>5L<163>S<14><135><17><184><231
>{<24><139>w<208>p<30><251>n<1><181><27><157><132>Y<227><255>#-<25>-<2
05><231><184>=+<246><163><225>$<198><130><202><133><148><162><134>C><1
56>@<150>Ek<226><<248><223><169><187><236>x<2><136>K<131>
g<9><231><147><31>$<0><238><171><245>?
        EAP-Message =
<245>~<228>k<19><127><249>&l<130>J<239><235><3>:<12>8<6>zY<13>e<171><2
12><219>]<160><152><12><152><228><201><235><182>W8<224>=<2><3><1><0><1
>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0><3><129><129><0><173>x
<178><239><141><11><170><144><137><25><6><225>#,H[<244><168><133><207>
p<4><136><135><214><231>-;Q<223><187><163>c<215><133>+<181><222><198>$
<22><185>@_<134><19><244><161>"<133><181><216>3N<156><9>%<206>1A`Z<195
><19><223><203>l<183><138><133><228><165>}<128><227><206>,<145>x4<17><
184><0><<209>@<21><132>Q<26>L<231><188><175><248><197><178>*L\1<234><2
46><22><141>4<178><135>v
UT!<164>u=<143><238>iz<208>(><202><189><236><142><149><22><3><1><0><18
0><13><0><0><172><2><1><2><0><167><0><165>0<129><162>1<11>0<9><6><3>U<
4><6><19><2>US1<17>0<15><6><3>U<4><8><19><8>Maryland1<17>0<15><6><3>U<
4><7><19><8>E
        EAP-Message = lkridge1<20>0<18><6><3>U<4><10><19><11>ACS
Defense1<11>0<9><6><3>U<4><11><19><2>IS1<29>0<27><6><3>U<4><3><19><20>
radius.itserealm.com1+0)<6><9>*<134>H<134><247><13><1><9><1><22><28>ro
[EMAIL PROTECTED]<14><0><0><0>
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Mar 26 13:02:58 2003: DEBUG: Packet dump:
*** Received from 192.168.12.212 port 1027 ....
Code:       Access-Request
Identifier: 3
Authentic: 
m<209><25><200>5<243>i<174><128><152><2><204><151><236><250>]
Attributes:
        User-Name = "deker"
        cisco-avpair = "ssid=ap1200"
        NAS-IP-Address = 192.168.12.212
        Called-Station-Id = "000c30529a80"
        Calling-Station-Id = "000ab78b3c05"
        NAS-Identifier = "AP1200-529a80"
        NAS-Port = 37
        Framed-MTU = 1400
        NAS-Port-Type = 19
        Service-Type = Login-User
        EAP-Message =
<2><5><3><215><13><128><0><0><3><205><22><3><1><3><157><11><0><2><141>
<0><2><138><0><2><135>0<130><2><131>0<130><1><236><160><3><2><1><2><2>
<1><1>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129><162>1<11>0
<9><6><3>U<4><6><19><2>US1<17>0<15><6><3>U<4><8><19><8>Maryland1<17>0<
15><6><3>U<4><7><19><8>Elkridge1<20>0<18><6><3>U<4><10><19><11>ACS
Defense1<11>0<9><6><3>U<4><11><19><2>IS1<29>0<27><6><3>U<4><3><19><20>
radius.itserealm.com1+0)<6><9>*<134>H<134><247><13><1><9><1><22><28>ro
[EMAIL PROTECTED]<30><23><13>030317105216Z<23><13>0403161052
16Z
        EAP-Message =
0S1<11>0<9><6><3>U<4><6><19><2>US1<17>0<15><6><3>U<4><8><19><8>Marylan
d1<20>0<18><6><3>U<4><10><19><11>ACS
Defense1<11>0<9><6><3>U<4><11><19><2>IS1<14>0<12><6><3>U<4><3><19><5>d
eker0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129>
<141><0>0<129><137><2><129><129><0><172><19>w)<170>6/<211><218><208><1
33>a<14>Y<207>R<0><173><241>T<29><187>8!<228><247><169><183>i;<8><238>
<31><161><162><9><198>4&UV$<182>~Q<145><153><137><202><0>[<171>)<189><
244>.
.D<136>b<197>:<196>D<216><5>r<3><19>^<173>U%<163><211><215>E<221><211>
<153>^<221>|<237><167>/M<175><179>[<254>U<29><198><172><24><228>b<130>
<185><227><189><8>0*<219><224><166><27><23>w<28><190><161><160><201><1
47>\Jy<18><10>C<167>wX<163><2><3><1><0><1><163><23>0<21>0<19>
        EAP-Message =
<6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><2>0<13><6><9>*<134>H
<134><247><13><1><1><4><5><0><3><129><129><0><185><223><224><30>p2<246
>D<206>Vk<170><130><155>><2>Z.<159><131><246>B/<250><151>b<167><185>G<
199>:<234>f.Pon*3<193><165>s<161>2Db<202>D<2><188><197><245><14><226>,
<140>6<130>[<127>n<196>;<12>o<22><9>H<206><217><211>O%<9><213>3<222><2
21><2><25><138><196><dG<246><206><28>p<200><239>+L<250>h<243><221><148
><250><7><141><143><146>;9<236><167>$<20><209><0><177>T<14><150><206><
225><170>Vei<25><216><24>c<26><15><12><16><0><0><130><0><128>{ad<144>J
<234><206><216><191>N<138><7><211>s<181><252><188><242><20><187>s<167>
<140>Vg[<147><173><19>
<166><238><143><29>0<177><157><138>3<197>'K<205>BU<173><160><166>|<206
>j<241><205><145><11><213><145><170>
7<163>c;<200><199><230><148>)t<4><252><127><211>N<1><133><16>\<218><22
1><174>
        EAP-Message =
o<199>}<133><25><207><201>lE<207><140>Z<7>'<255><147><153>#\<160>b.<3>
<172><23><245><226><19><163>P<169><181><189><228><3><0><179><212><154>
<188>&<206><<180><220><225>A<15><0><0><130><0><128>21Y_T<208><193>K4<8
><231><17><135>
?Up<143>B<207><131>^^<195><139><188><147><248><186>'K<233>Y<168><224><
229><127><20><246><180><246><151><207>?kr<181>FS<159>j<203>8<241>o<137
><25><144><243><15><147>|p<9>L<174>XP<148>?<132>$C<17><227><240>@@X<17
5>A<137>><138><209><145><191><173><165><131><184>Z<214><160><238><146>
<147><205>1<152>RY<167><169><29>D<207><13><132>(M<161><244><30><15>Ku<
194><199>H<198><12><171>C<1><235>V<8><20><3><1><0><1><1><22><3><1><0>
<182><189><30>~<251><13><206>4<152><211><188><231><140>|ly1])<246><2><
171><127><24><146><136>=7<6>2<176><255>
        Message-Authenticator =
D<135>u<228><147>j<10><238>or<2>M|<205>"<177>

Wed Mar 26 13:02:58 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Mar 26 13:02:58 2003: DEBUG:  Deleting session for deker, 192.168.12.212, 37
Wed Mar 26 13:02:58 2003: DEBUG: Handling with Radius::AuthFILE: 
Wed Mar 26 13:02:58 2003: DEBUG: Handling with EAP: code 2, 5, 983
Wed Mar 26 13:02:58 2003: DEBUG: Response type 13
Wed Mar 26 13:02:58 2003: DEBUG: Access challenged for deker: EAP TLS Challenge
Wed Mar 26 13:02:58 2003: DEBUG: Packet dump:
*** Sending to 192.168.12.212 port 1027 ....
Code:       Access-Challenge
Identifier: 3
Authentic: 
m<209><25><200>5<243>i<174><128><152><2><204><151><236><250>]
Attributes:
        EAP-Message =
<1><6><0>5<13><128><0><0><0>+<20><3><1><0><1><1><22><3><1><0>
^<227>t<195><18>s<137><243>n<212>G<177><27><200><6><177>"<229><20><169
><177>f<154><3><224><13>z(<241><194><9><179>
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
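
Added example (not part of the original post and not Radiator code): a small Python decoder for the `<n>` byte notation used in the debug log, run over the leading bytes of each EAP-Message above to show the EAP code, identifier, length and EAP-TLS flags of the exchange. Function names are hypothetical; the flag bits and the empty-packet fragment ACK follow RFC 5216.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_RECORDS = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
EAP_TYPE_TLS = 13                          # EAP method type for EAP-TLS
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # length included, more fragments, start

def dump_to_bytes(text):
    """Debug-log notation: <n> is one byte in decimal, any other character is literal."""
    return bytes(int(m.group(1)) if m.group(1) else ord(m.group(2))
                 for m in re.finditer(r"<(\d{1,3})>|(.)", text))

def parse_eap(pkt):
    """Decode the EAP header and, for type 13, the EAP-TLS flags octet."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    info = {"code": EAP_CODES.get(pkt[0], pkt[0]), "id": pkt[1],
            "length": int.from_bytes(pkt[2:4], "big")}
    if pkt[0] not in (1, 2) or len(pkt) < 5:
        return info                        # Success/Failure carry no type field
    info["type"] = pkt[4]
    if pkt[4] != EAP_TYPE_TLS or len(pkt) < 6:
        return info
    flags = pkt[5]
    info["flags"] = "".join(name for bit, name in
                            ((FLAG_L, "L"), (FLAG_M, "M"), (FLAG_S, "S")) if flags & bit)
    info["ack"] = info["length"] == 6 and flags == 0  # empty EAP-TLS packet
    if flags & FLAG_L and len(pkt) >= 11:
        info["tls_length"] = int.from_bytes(pkt[6:10], "big")
        # Assumption: an L-flagged packet begins a TLS message, as it does in this log
        info["first_record"] = TLS_RECORDS.get(pkt[10], pkt[10])
    return info

# Leading bytes of each EAP-Message in the log above, in order (payloads truncated)
LOG_HEADERS = [
    "<2><2><0><10><1>deker",
    "<1><3><0><6><13> ",
    "<2><3><0>P<13><128><0><0><0>F<22><3><1>",
    "<1><4><4><10><13><192><0><0><6>n<22><3><1>",
    "<2><4><0><6><13><0>",
    "<1><5><2>t<13><0>0<15>",
    "<2><5><3><215><13><128><0><0><3><205><22><3><1>",
    "<1><6><0>5<13><128><0><0><0>+<20><3><1>",
]

def trace(dumps=LOG_HEADERS):
    return [parse_eap(dump_to_bytes(d)) for d in dumps]

if __name__ == "__main__":
    for row in trace():
        print(row)
```

Decoded, the last packet in the log is the server's Request id 6 carrying change_cipher_spec; no Response with id 6 appears before the log ends.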

===
Archive at http://www.open.com.au/archives/radiator/